@dependabot dependabot bot commented on behalf of github Nov 11, 2025

Bumps actions/setup-node from 4 to 6.

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

Dependency Upgrades

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

This update introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false.

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

New Contributors

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Nov 11, 2025
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot-github_actions-actions-setup-node-6 branch from 77949e4 to c14e338 Compare November 22, 2025 05:33
@github-actions

Claude Code Review

Summary

This PR upgrades actions/setup-node from v4 to v6 in the E2E workflow. This is a low-risk dependency update from Dependabot that brings important security fixes and features. The upgrade is safe to merge with one minor consideration regarding automatic caching behavior.

Overall Assessment: APPROVED - The change is minimal, well-isolated, and the breaking changes in v6 do not negatively impact this repository's workflows.


Issues by Severity

🔵 Minor Issues

1. Automatic npm caching may be redundant but harmless

In v6.0.0, setup-node now automatically detects and enables caching when a packageManager field exists in package.json. However:

  • ✅ Neither e2e/package.json nor components/frontend/package.json has a packageManager field
  • ✅ Explicit cache: 'npm' configuration is still supported and takes precedence
  • ✅ The workflow already explicitly specifies cache-dependency-path, which works correctly in v6

Impact: None. The existing explicit cache configuration (cache: 'npm') will continue to work as expected.

Reference: setup-node v6 release notes state that automatic caching only activates when a packageManager field is present in package.json, which is not the case here.


Positive Highlights

Security improvements - v6 includes upgraded dependencies with security fixes (form-data vulnerability fix, undici upgrade)

Consistent upgrade - Both workflows using setup-node are now on v6:

Backward compatible - All existing workflow configurations remain valid:

  • node-version: '20' works correctly
  • cache: 'npm' explicitly specified
  • cache-dependency-path properly configured

Runner compatibility - GitHub-hosted runners (ubuntu-latest) are guaranteed to meet the v2.327.1+ requirement for node24 runtime

Well-tested upstream - setup-node v6 has been stable since October 2024 with no major issues reported


Recommendations

✅ Safe to merge immediately

No action items required. The upgrade is fully compatible with existing workflows.

Optional future optimization (not required for this PR)

Consider adding packageManager: "npm@10.x" to package.json files in the future to leverage v6's automatic package manager detection feature. This would allow:

  • Removal of explicit cache: 'npm' configuration
  • Automatic version pinning of npm itself
  • Alignment with Corepack standards

However, this is purely optional and offers no functional benefit over the current explicit configuration.


Technical Analysis

What changed:

  • Single line: uses: actions/setup-node@v4 → uses: actions/setup-node@v6
  • Scope: E2E test workflow only

Breaking changes in v6 that DON'T affect this repo:

  1. ❌ Automatic caching limited to npm only (we use npm ✅)
  2. ❌ Requires runner v2.327.1+ (GitHub-hosted runners already meet this ✅)
  3. ❌ Requires packageManager field for auto-caching (we don't have it, using explicit cache ✅)

Dependency upgrades included in v6:

  • ts-jest 29.1.2 → 29.4.1
  • prettier 2.8.8 → 3.6.2
  • uuid 9.0.1 → 11.1.0
  • undici 5.28.5 → 5.29.0
  • form-data (critical vulnerability fix)

Testing confidence:

  • ✅ Identical configuration already tested in frontend-lint.yml workflow
  • ✅ No changes to package.json or lock files
  • ✅ No changes to caching behavior (explicit configuration takes precedence)
  • ✅ GitHub Actions will validate on PR

Recommendation: Approve and merge - This is a routine, safe dependency update with security benefits and no compatibility risks.
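
A check for the caching rules this thread relies on, as an added example that is not part of the PR, the review comment, or setup-node's own code: it reads the setup-node steps out of a workflow and reports whether each one caches explicitly, automatically, or not at all. The function names, the sample workflow and the sample package.json are constructed, and the name@version test for a "valid" packageManager field is an assumption.

```javascript
// Minimal line reader for setup-node steps; not a general YAML parser.
function setupNodeSteps(workflowText) {
  const steps = [];
  let cur = null, withIndent = -1;
  for (const raw of workflowText.split('\n')) {
    const line = raw.replace(/\s+#.*$/, '');
    const indent = line.search(/\S/);
    if (indent < 0) continue;
    if (/^\s*-\s/.test(line)) { cur = null; withIndent = -1; } // a new step starts
    const uses = line.match(/uses:\s*actions\/setup-node@(\S+)/);
    if (uses) { cur = { ref: uses[1], inputs: {} }; steps.push(cur); continue; }
    if (!cur) continue;
    if (/^\s*with:\s*$/.test(line)) { withIndent = indent; continue; }
    const kv = line.match(/^\s*([\w-]+):\s*(.*)$/);
    if (kv && withIndent >= 0 && indent > withIndent) {
      cur.inputs[kv[1]] = kv[2].replace(/^['"]|['"]$/g, '');
    } else { withIndent = -1; } // left the with: block
  }
  return steps;
}

function cacheMode(step, packageJsonText) {
  if (step.inputs.cache) return 'explicit:' + step.inputs.cache; // explicit input wins
  const major = /^v\d+/.test(step.ref) ? parseInt(step.ref.slice(1), 10) : NaN;
  if (Number.isNaN(major)) return 'unknown-ref'; // e.g. pinned to a commit SHA
  if (major < 5) return 'off'; // automatic caching arrived in v5.0.0
  if (step.inputs['package-manager-cache'] === 'false') return 'off'; // opt-out
  const pm = JSON.parse(packageJsonText).packageManager;
  // Assumption: a "valid" field looks like name@version for npm, yarn or pnpm.
  const m = typeof pm === 'string' ? pm.match(/^(npm|yarn|pnpm)@\S+$/) : null;
  if (!m || (major >= 6 && m[1] !== 'npm')) return 'off'; // v6: npm only
  return 'auto:' + m[1];
}
// Constructed sample inputs (not this repository's files).
const SAMPLE_WORKFLOW = `
steps:
  - uses: actions/setup-node@v6
    with:
      node-version: '20'
      cache: 'npm'
  - uses: actions/setup-node@v6
    with:
      node-version: '20'
  - uses: actions/setup-node@v5
    with:
      package-manager-cache: false
`;
const SAMPLE_PACKAGE_JSON = '{"name": "e2e", "packageManager": "npm@10.9.0"}';
console.log(setupNodeSteps(SAMPLE_WORKFLOW).map((s) => cacheMode(s, SAMPLE_PACKAGE_JSON)));
```

A step pinned to a commit SHA returns 'unknown-ref' because the major version cannot be read from the ref; resolve the SHA to its release before applying these rules.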


Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code priority: low
